One CAS server for multiple Alfresco servers

arnekaiser
Champ in-the-making
Hi there,
I'm working on an Alfresco CAS LDAP installation. Most things are up and running, but I still have some questions. My idea is to have one single CAS server for SSO for Liferay and multiple Alfresco servers for different customers. The CAS server (with ApacheDS) is configured to search the whole directory (DC=ALL, DC=Customers); the Alfresco servers' LDAP authentication and synchronisation are configured with this search base:

ldap.authentication.userNameFormat=cn=%s,ou=customer1people,ou=custumer1groups,dc=all,dc=customers

Now I have the following problem:
Every user who has a valid CAS login (all users from ou=customer1, ou=customer2…) is allowed to log in to the Alfresco web client on server customer1, even though he is definitely not in the list of users imported via LDAP (I checked the XML files with the LDAP import data).
There is one difference between the users who are imported from LDAP and those who can log in through CAS: WebDAV login is only permitted for the LDAP-authenticated users, which makes me sure that the LDAP settings for Alfresco are correct.
Is there any chance to allow only the members of ou=customer1people,ou=custumer1groups access to Alfresco on server customer1, even if CAS accepts all members of my directory?
Another question: is it possible to authenticate against multiple OUs, like ou=customer1 and ou=support for server customer1, ou=customer2 and ou=support for server customer2, and so on?

I hope some of you will understand what I tried to explain and may have a solution for this setup.

Thanks in advance

Arne Kaiser

juan
Champ in-the-making
Did you solve it?

arnekaiser
Champ in-the-making
No, it's still open.

juan
Champ in-the-making
I have found a workaround for a similar issue:

Import the desired LDAP users and change authentication-services-context.xml at line 280
(change the default "createMissingPeople" value from ${server.transaction.allow-writes} to false):


<bean id="personService" class="org.alfresco.repo.security.person.PersonServiceImpl" init-method="init">

        <!-- Some authentication mechanisms may need to create people -->
        <!-- in the repository on demand. This enables that feature.  -->
        <!-- If disabled an error will be generated for missing       -->
        <!-- people. If enabled then a person will be created and     -->
        <!-- persisted.                                               -->
        <!-- Valid values are                                         -->
        <!--     ${server.transaction.allow-writes}                   -->
        <!--     false                                                -->

        <property name="createMissingPeople">
            <value>false</value>
        </property>

</bean>


This prevents Alfresco from creating any new user.
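
The two decisions the thread turns on, as an added example that is not part of the original posts and not Alfresco, CAS or ApacheDS code: a subtree check that only admits users whose DN lies under the customer1 search base (the thing CAS cannot do when it is configured to accept all of dc=all,dc=customers), and a model of the createMissingPeople switch from the bean quoted above, which denies any CAS principal that LDAP synchronisation did not already turn into a person object. The directory entries, the user names (alice, "smith, john", bob, carol, dave) and the synced-people set are constructed for the example; the search base is the one from the poster's userNameFormat, spelling included.

```python
"""Added example for this thread; it is not Alfresco, CAS or ApacheDS code.

dn_in_subtree() asks whether a CAS-authenticated user's DN lies inside the
OU subtree a given Alfresco server synchronises from.  person_login_allowed()
models the createMissingPeople switch from authentication-services-context.xml
as its comment describes it: a principal with no person object is an error
when the switch is false and an auto-created person when it is true.
All entries below are constructed for the example.
"""

# Search base of the customer1 Alfresco server, taken from the thread's
# ldap.authentication.userNameFormat ("custumer1groups" reproduced as posted).
CUSTOMER1_BASE = "ou=customer1people,ou=custumer1groups,dc=all,dc=customers"

# Constructed directory: what the shared ApacheDS/CAS side knows about each
# login name.  alice, "smith, john" and dave live under customer1.
DIRECTORY = {
    "alice": "cn=alice,ou=customer1people,ou=custumer1groups,dc=all,dc=customers",
    "smith, john": "cn=smith\\, john,ou=customer1people,ou=custumer1groups,dc=all,dc=customers",
    "dave": "cn=dave,ou=customer1people,ou=custumer1groups,dc=all,dc=customers",
    "bob": "cn=bob,ou=customer2people,ou=customer2groups,dc=all,dc=customers",
    "carol": "cn=carol,ou=support,dc=all,dc=customers",
}

# Constructed result of the last customer1 LDAP synchronisation.  dave was
# added to the directory afterwards, so he has no person object yet.
CUSTOMER1_SYNCED_PEOPLE = {"alice", "smith, john"}


def parse_dn(dn):
    """Split a DN into normalised (type, value) RDNs for comparison.

    Attribute types are case-insensitive and cn/ou/dc use a case-ignoring
    match in LDAP, so both halves are lower-cased and stripped of optional
    whitespace around commas.  A backslash-escaped comma inside a value is
    kept as part of the value instead of splitting the RDN.
    """
    rdns, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf))
    pairs = []
    for rdn in rdns:
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().lower(), value.strip().lower()))
    return pairs


def dn_in_subtree(user_dn, base_dn):
    """True if user_dn equals base_dn or lies beneath it (RDN suffix match)."""
    user, base = parse_dn(user_dn), parse_dn(base_dn)
    return len(user) >= len(base) and user[-len(base):] == base


def person_login_allowed(username, synced_people, create_missing_people):
    """Model of the createMissingPeople behaviour quoted in the thread.

    A person that LDAP sync already created always passes.  Anyone else
    passes only if the repository may create the missing person on demand,
    which is what the posted workaround (value false) switches off.
    """
    if username in synced_people:
        return True
    return bool(create_missing_people)


def authorise_for_customer1(username, create_missing_people=False):
    """Combine both checks for a CAS-asserted login on the customer1 server.

    Returns (allowed, reason).  The subtree check rejects other customers'
    users outright; the person check is what the workaround relies on, and
    it also catches in-subtree users the last sync has not imported yet.
    """
    dn = DIRECTORY.get(username)
    if dn is None:
        return False, "unknown to the directory"
    if not dn_in_subtree(dn, CUSTOMER1_BASE):
        return False, "outside %s" % CUSTOMER1_BASE
    if not person_login_allowed(username, CUSTOMER1_SYNCED_PEOPLE, create_missing_people):
        return False, "no person object and createMissingPeople is false"
    return True, "ok"


if __name__ == "__main__":
    for name in DIRECTORY:
        print("%-12s createMissingPeople=false -> %s" % (name, authorise_for_customer1(name)))
        print("%-12s createMissingPeople=true  -> %s" % (name, authorise_for_customer1(name, True)))
```

Running the block prints one line per constructed user for each setting: bob and carol are refused by the subtree check regardless of the switch, while dave, who is under customer1 but not yet synced, is refused only when createMissingPeople is false. That is the gap the workaround closes, and also its cost: after adding a user to the directory, the login fails until the next synchronisation has created the person object.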

arnekaiser
Champ in-the-making
Hi Juan,
That sounds like a suitable workaround, I will try that as soon as possible.

Thank You!

Arne